NOAA repurposed the JPSS ground system from its original role of supporting a research and prototyping project under the National Polar-orbiting Operational Environmental Satellite System (NPOESS)[5] to one that supports operational satellites for the JPSS program. This was done due to delays with the NPOESS program. Thus, the ground system now in place was not originally intended to support operational satellites nor was it designed to meet Department of Commerce IT security requirements.[6] In 2010, NOAA began to modify the ground system to support the newly established JPSS program but, until January 2014, the program did not require the ground system contractor to begin full implementation of the majority of the security controls for the system. As a result, few security controls are fully implemented and many high-risk vulnerabilities exist within the system. Specifically,

• The JPSS program's security assessments for fiscal years (FYs) 2012 and 2013 found that only about a quarter of the Department's required National Institute of Standards and Technology (NIST) security controls had been fully implemented.

• Our analysis of the JPSS program's assessments of system vulnerabilities found that, since FY 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds[7] despite recent efforts the program has taken to remediate these vulnerabilities (see figure 1). Vulnerabilities are defined as high-risk if they are relatively easy for attackers to exploit and gain control over system components. If exploited, these vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring. Software used by the JPSS system contains vulnerabilities that have been publicly known for several years. Software tools to exploit several of these vulnerabilities are available on the Internet.

NOAA is responsible for ensuring that its IT systems have an appropriate operational security posture, which includes timely remediation of high-risk vulnerabilities in the JPSS ground system. While the program has begun implementing plans to make the necessary changes that will correct the JPSS ground system's numerous IT security weaknesses and vulnerabilities, the majority of these issues will not be remediated for another 2 years.

[5] The National Polar-orbiting Operational Environmental Satellite System (NPOESS) was created in 1994. In 2010, a portion of it was restructured as the JPSS program. The ground system supported the NPOESS Preparatory Project (NPP), which was intended to demonstrate new instruments.
[6] The NPOESS was a tri-agency program including NOAA, NASA, and the Department of Defense. The ground system was built to meet Department of Defense security requirements.
[7] The number of vulnerabilities in a system may increase because new vulnerabilities in software used by the JPSS program are constantly being uncovered and publicly reported (e.g., by software vendors, security researchers). Additionally, changes made to the existing system (for example, installing new software or operating systems) may introduce new vulnerabilities if IT security protections are not fully integrated with the changes.

Figure 1. Number of High-Risk Vulnerability Instances in the JPSS Ground System, by Quarter, FY 2012 to FY 2014 2nd Quarter

[Bar chart. Vertical axis: number of high-risk vulnerability instances, 0 to 30,000. Horizontal axis: Q1 through Q4 of FY 2012, Q1 through Q4 of FY 2013, and Q1 and Q2 of FY 2014. Labeled values: 14,486 (left of chart, FY 2012) and 23,868 (right of chart, FY 2014).]

Source: JPSS Quarterly Ground System Vulnerability Assessment Analysis Reports FYs 2012–2014

Objectives, Findings, and Recommendations

The objective of our audit was to assess the effectiveness of NOAA's IT security program by determining whether key security measures adequately protect NOAA's systems. (For detailed objectives, scope, and methodology please see appendix A.) We found that the JPSS program needs to expedite its efforts to reduce the current IT security-related risks to its ability to support critical weather forecasting operations and improve the overall security posture of JPSS' ground system.

I. Expedite Remediation of High-Risk Vulnerabilities

Although full implementation of many of the missing and partially implemented security controls requires the significant changes that are planned for the next iteration of this system, there are steps the program can take now to improve its security posture. We found that there are numerous high-risk vulnerabilities that we believe can be corrected with only minor alterations to the existing system. In the past, these have taken a year or more to remediate, because the JPSS program has seldom used the expedited processes it has developed to deploy high-risk security fixes and did not direct the contractor responsible for the ground system to use these processes to remediate vulnerabilities in a timely manner.

A. Many High-Risk Vulnerabilities Are Remediable with Minor Alterations to the Existing System

We examined the JPSS ground system's vulnerabilities that were identified by the program and believe that there are high-risk vulnerabilities that could be remediated by making minor alterations to the existing system. These include:

• More than 9,100 instances of high-risk vulnerabilities identified by vulnerability scans, including (a) out-of-date software versions or missing security patches, (b) insecurely configured software, and (c) unnecessary user privileges within the operating systems and software.

• More than 3,600 instances where password and auditing settings need to be configured in accordance with JPSS policy.

• Unnecessary software applications that need to be removed or disabled.

• Three outstanding vulnerabilities identified by penetration testing conducted in June 2012.

We believe remediating these vulnerabilities should require only minor alterations to the existing system because they include simple actions, such as deploying missing security patches and updates that are compatible with the existing system and are available from vendors; correcting minor misconfigurations in applications or operating systems; or removing unneeded applications.

B. Remediation of Vulnerabilities Has Been Slow

The JPSS security policy for the ground system requires remediation of high-risk vulnerabilities within 30 days of identification and remediation on a quarterly basis for moderate- to low-risk flaws. However, it took the JPSS program 11 to 14 months to remediate high-risk vulnerabilities it identified in the ground system. We found that

• The vulnerabilities the program determined it could fix that were identified from penetration testing in June 2012 were not remediated until September 2013.

• Most of the vulnerabilities resulted from flaws in software that was running within the system. However, the time between deployments of software updates and security patches to remediate these flaws varied from 11 to 14 months during the period 2011 to 2013, meaning that remediation activities only occurred about once a year.

Remediating vulnerabilities at such intervals is not sufficient to keep up with the rapid growth in the number of vulnerabilities found in the system (see figure 1). For the last 2 years, the JPSS program had planned to address system vulnerabilities by means of two maintenance releases per year. Not only did this fall significantly short of the system's requirement for patching high-risk vulnerabilities within 30 days but, of the two maintenance releases scheduled each year, only one was actually performed. According to JPSS management, since 2011 maintenance releases to the system were suspended for 344 days to allow for the evaluation of contractor performance and conducting important operational events, such as preparation for the launch of the Suomi NPP satellite and subsequent on-orbit testing.

The remediation of high-risk vulnerabilities is critical to the continued success of the JPSS mission and should have a high priority. The more high-risk vulnerabilities that exist in the system, the higher the probability is that an attacker could compromise it. This could lead to a disruption of NOAA's ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring. The importance of remediating these vulnerabilities justifies addressing them outside the regular cycle of maintenance deployments.

Processes for deploying urgent updates are in place. Using these processes would have made it possible for the JPSS program to correct many high-risk vulnerabilities in an expedited manner. Also, the vulnerability management plan for the ground system includes monitoring and prioritization of vulnerabilities by the ground system's Patch and Vulnerability Group (PVG), which is a group of system and IT security experts within the JPSS program. Since June 2012, the PVG repeatedly recommended that high-risk vulnerabilities be corrected immediately. However, the JPSS program only used the urgent update processes once during this time period, to remediate one vulnerability.

Urgent updates to the JPSS ground system were not performed because the program did not require that the ground system contractor remediate vulnerabilities in a timely manner. The contractor was required to remediate vulnerabilities identified by the JPSS program in its plans of action and milestones (POA&Ms), a management tool used to identify, assess, prioritize, and monitor efforts to correct IT security vulnerabilities, but the POA&Ms created by the JPSS program allowed 8–13 months for correction of high-risk vulnerabilities. Thus, the JPSS program did not effectively use its POA&Ms to ensure that high-risk vulnerabilities were remediated in a timely manner.

While the fieldwork for this audit was being conducted, the JPSS program began implementation of a plan that would deploy fixes to correct vulnerabilities quarterly instead of semiannually, by adding two deployments to the two already planned each year. But even if the JPSS program is able to successfully deploy fixes quarterly, there will still be gaps of potentially up to 3 months before some high-risk vulnerabilities can be addressed.

Conclusions

It is essential that the JPSS program's existing urgent update processes be used to correct high-risk vulnerabilities in the ground system's critical components.[8] We believe that the types of high-risk vulnerabilities we have identified in finding I(a) of this memorandum can be fixed in an expedited manner and should be addressed as soon as possible. Although these measures will not address all vulnerabilities, we believe that they will improve protection of the current JPSS ground system until NOAA deploys the next iteration of its ground system. Considering that the current system's security posture was at a disadvantage from the outset, having not incorporated security into its development when it was transitioned into the JPSS, the program needs to ensure that the security measures planned for the next iteration of the ground system are included from the beginning and not added later or deferred.

[8] JPSS ground system critical components include those that are associated with command, control, and communication of the satellite and that process data used in numeric weather models and forecast offices in Alaska.

Recommendations

To reduce the risks of compromise to the JPSS ground system, we recommend that the NOAA Assistant Administrator for Satellite and Information Services and NOAA's Chief Information Officer ensure that

1. The JPSS program review the types of vulnerabilities identified in finding 1(a) of this memorandum and, where possible, correct them as soon as feasible.

2. Urgent system update processes are used to deploy high-risk security-related software patches and updates, based on the criticality of the patches and the system components affected.

3. POA&Ms require that newly discovered, high-risk, JPSS vulnerabilities be remediated within 3 months.

We have summarized your agency's response in this memorandum and included the formal response as appendix B. The final memorandum will appear on the OIG website pursuant to section 8M of the Inspector General Act of 1978, as amended.

In accordance with Department Administrative Order 213-5, please provide us with your action plan within 60 days of the date of this memorandum. We appreciate the cooperation and courtesies extended to us by your staff during our audit. If you have any questions or concerns about this memorandum, please contact me at (202) 482-1855 or Dr. Ping Sun, Director for IT Security, at (202) 482-6121.

Attachment

cc: Steve Cooper, Chief Information Officer
    Mark Paese, Acting Assistant Administrator for Satellite and Information Services, NOAA
    Zachary Goldstein, Acting Chief Information Officer, NOAA
    Mike Maraya, Acting Director, Office of Cyber Security, and Chief Information Security Officer
    Harry Cikanek, Director, JPSS Program, NOAA
    Lawrence Reed, Director, Cyber Security Division, NOAA
    Irene Parker, Acting Assistant Chief Information Officer, Satellite and Information Service, NOAA
    Brian Doss, Audit Liaison, NOAA
    Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer

Summary of Agency Response and OIG Comments

NOAA Response

In response to our draft memorandum, NOAA concurred with our recommendations. NOAA indicated that it had already implemented recommendation 2, explaining that it remediated the Heartbleed vulnerability[9] during the third quarter of FY 2014. NOAA also requested deletion of the following sentence on page 5, paragraph 3, "Using these processes would have made it possible for the JPSS program to correct high-risk vulnerabilities in an expedited manner." NOAA requested this deletion to reflect remediation of Heartbleed in an accelerated manner. NOAA's complete formal response is included as appendix B.

OIG Comments

In preparing this final report, we thoroughly considered NOAA's formal comments and informal comments made in discussions and other communications subsequent to the issuance of our draft report.

With regard to NOAA's response concerning recommendation 2, remediating the Heartbleed vulnerability in an expedited manner is a step in the right direction; however, numerous vulnerabilities remain. Going forward, we encourage NOAA, as it corrects the existing and future vulnerabilities within the JPSS ground system, to fully implement this recommendation.

In regard to NOAA's request in its response for removal of our sentence on page 5, paragraph 3, NOAA's assertion that it remediated the Heartbleed vulnerability does not change the fact that the JPSS program could have remediated many high-risk vulnerabilities using its urgent update processes, especially those recommended by its PVG group for immediate correction. As noted in our memorandum, these processes were seldom used. We have added the word "many" to this sentence to avoid misinterpretation that the JPSS program has not remediated any vulnerabilities using urgent update processes.

[9] Heartbleed is a vulnerability in commonly used versions of open-source cryptographic software that received widespread media attention in April 2014 because it could allow attackers to expose sensitive data.

Appendix A: Objectives, Scope, and Methodology

Our audit objective was to assess the effectiveness of NOAA's information security program by determining whether key security measures adequately protect NOAA's systems. In contribution to this objective, we reviewed the implemented security controls and known vulnerabilities of the JPSS ground system. To do so, we

• Reviewed the system-related artifacts since FY 2011, including risk, vulnerability, and security control assessments; policy and procedures; planning documents; and other material related to the current security posture of the ground system, and

• Interviewed operating unit personnel including IT security officers and organizational directors.

We reviewed NOAA's compliance with the following applicable internal controls, provisions of law, regulation, and mandatory guidance:

• The Federal Information Security Management Act of 2002

• IT Security Program Policy and Minimum Implementation Standards, U.S. Department of Commerce, introduced by the Chief Information Officer on January 9, 2009, and applicable Commerce Information Technology Requirements

• NIST Federal Information Processing Standards Publications:

    o 199, Standards for Security Categorization of Federal Information and Information Systems

    o 200, Minimum Security Requirements for Federal Information and Information Systems

• NIST Special Publications:

    o 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

    o 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations

    o 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans

We conducted our field work on the JPSS ground system portion of our FISMA audit of the NOAA IT security program from October 2013 to May 2014. We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated April 26, 2013, and in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

Appendix B: Agency Response